what if i want to get the difference between _indextime & start_time, i am trying with this : tostring(strftime(_indextime, "%Y/%m/%d %H:%M:%S") - strptime(start_time, "%Y/%m/%d %H:%M:%S"), "duration") but getting error like- Encountered the following error while trying to save: Operator requires numeric types My search is: index=xxx_xxx_firewall sourcetype IN(xxx:xxxxx, xxx:xxxxx) | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | eval it = strptime(start_time, "%Y/%m/%d %H:%M:%S") | eval ot = strptime(receive_time, "%Y/%m/%d %H:%M:%S") | eval diff = tostring((ot - it), "duration") | table start_time, receive_time,indextime,_time, diff Can you please help if you have some insights on this.
... View more